The ISO/IEC 17021-1:2015 is a global guideline designed to shape how organizations that perform audits and certifications for management systems should operate. Released by the International Organization for Standardization and the International Electrotechnical Commission, this standard aims to improve the reliability and uniformity of these audits and certifications by outlining the essential requirements these organizations should fulfill.

Here, we’ll cover the basics of this document, touching on the more significant requirements and guidelines found in each section.

Breaking Down ISO 17021

This standard covers various auditing and certification aspects, including staff competence, reporting, and procedures. It outlines requirements for auditor competence, impartiality, consistency, and the process for conducting audits and issuing certificates. 

As you work through the documentation for this standard, you’ll come across these overarching sections outlining all guidelines and practices required. These include:

Principles

The guidelines outlined in ISO/IEC 17021-1:2015 serve as the backbone for what the standard demands. These guidelines ensure that the certification process is fair, skilled, responsible, and transparent. Though I can’t share the full text of the standard since it’s copyrighted, I can give you an overview of some of its key points.

• Impartiality: The certification body should be impartial in all its activities and decisions. Conflicts of interest must be identified and managed to ensure impartiality. This is important for gaining trust in the certification process.
• Competence: Those involved in the certification process must possess the appropriate skills and knowledge. Certification bodies must ensure that their personnel, including auditors and decision-makers, perform their functions competently.
• Responsibility: The certification body has the ultimate responsibility for its activities and decisions. This means that the body must refrain from outsourcing or delegating the responsibility for ensuring the quality and impartiality of its certifications.
• Openness: A certification body should be transparent about its policies and procedures. Information about the certification process should be publicly accessible, except where confidentiality is required.
• Confidentiality: The certification body must safeguard confidential information. Procedures should be in place to protect sensitive information obtained or created during the certification process.
• Risk-Based Approach: Certification bodies must adopt a risk-based approach to their activities. This approach is intended to identify risks and opportunities that could affect the integrity of certification and manage them appropriately.
• Responsiveness to Complaints: The certification body must have a defined process to receive, evaluate, and decide on complaints. This ensures that any complaints are handled impartial, transparent, and timely.

General Requirements

These include the legal and contractual obligations of the certification body, ensuring that the organization is competent and can function impartially.

• Legal and Contractual Matters: The certification body must be a legally identifiable entity responsible for its activities. The certification body must have formal agreements specifying the responsibilities of each party involved, including clients.
• Liability and Financing: Certification bodies must be capable of assuming responsibilities and weaknesses and have the financial resources to operate. This ensures that the certification body can cover potential liabilities and has the resources to conduct certification activities properly.
• Non-Discriminatory Conditions: The certification body must impartially offer its services to all applicants and not discriminate. Access to certification must be fair and open, irrespective of the size or affiliations of the organization seeking certification.
• Confidentiality and Publicly Accessible Information: The body must have policies to maintain the confidentiality of information and make certain certification-related information publicly accessible. Confidentiality and transparency must be balanced to maintain trust.
• Structural Requirements: This refers to how the certification body is organized, especially to maintain impartiality. This includes avoiding conflicts of interest and ensuring that activities like consulting do not interfere with the impartiality of the certification process.

Organizational Structure and Top Management

The certifying organization should have a well-defined structure that outlines everyone involved’s roles, responsibilities, and decision-making powers. This setup is crucial for managing any possible conflicts of interest and maintaining the fairness and consistency of its operations.

• Committee for Maintaining Fairness: Many certifying organizations are expected to form a committee that upholds impartiality. This group helps make sure all activities are conducted without bias.
• Staying Independent: The certifying body must operate independently, free from influences from other groups or vested interests that could sway its impartiality. There should be protocols to manage conflicts of interest and guard against external pressures.
• Objective Decision-Making: All certification-related activities need to be carried out with an unbiased approach. The choices made during the certification process should be immune from any influences that could jeopardize objectivity.
• Subcontracting Work: If any audit or certification tasks are outsourced, the certifying body must ensure that the subcontractor follows the relevant ISO/IEC 17021-1 guidelines. This keeps the certification’s integrity intact, even when parts of the process are handled externally.
• Staff Requirements: This section zeroes in on the qualifications of everyone involved, from the auditors to any technical specialists who participate in the audit and certification steps.
• Skills and Qualifications: The certifying organization must ensure that everyone participating in the certification process is adequately skilled and qualified. This involves establishing criteria for their education, training, technical acumen, and professional experience.
• Employing Outside Experts: When external auditors or specialists are utilized, they should meet the same qualification criteria as internal staff to ensure that the quality and thoroughness of the certification process remain consistent, no matter who’s carrying out the tasks.
  
• Personnel Records: Records must be kept to demonstrate that all personnel meet the requirements for competence. This provides traceability and accountability for the qualifications of the individuals involved.
• Monitoring of Performance: Auditors and other personnel must be monitored to ensure competence. This can include peer review, ongoing training, and other performance evaluation forms.

Information Requirements

This part of the standard outlines the requirements for management systems documentation, including records of complaints and appeals and information that must be publicly available.

• Management of Information: The certification body must manage and maintain all information related to certification activities. This covers the handling of confidential information, as well as the information that is to be made publicly available.
• Certification Documents: The certification body must provide documents that accurately reflect the scope and details of the certification. This is crucial for transparency and the utility of the certification to the organization that receives it.
• Directory of Certified Organizations: A publicly accessible directory of certified organizations may need to be maintained. This increases transparency and allows interested parties to verify the status of certifications.
• Control of Records: Records related to the certification activities must be securely stored and controlled. This includes audit reports, certification documents, and related records, which must remain accessible for future reference, complaints, or appeals.

Process Requirements

This segment details the requirements for the certification processes, including audit planning, conducting audits, granting certifications, surveillance activities, and renewing or withdrawing certification.

• Application Review and Contract: The certification body must review applications for certification and enter into a formal agreement with the client. This ensures that the body and the client mutually understand the scope and requirements for certification.
• Development of Certification Programs: The certification body must have established procedures for developing its certification programs. This is important for ensuring that the certification programs meet applicable standards and are fit for purpose.
• Audit Process: Detailed procedures must be established for conducting audits, including planning, performing, reporting, and follow-up. This ensures the consistency and effectiveness of audits.
• Decision on Certification: The certification body must have a formal process for making certification decisions. This decision-making process must be impartial and based on the evidence gathered during the audit.
• Surveillance Activities: Once certification is granted, ongoing surveillance activities must be carried out to ensure continued compliance. This can include regular audits and other checks.
• Change of the Scope of Certification: Procedures must exist for renewing, extending, or reducing the scope of certification. This ensures that certifications remain current and relevant.

Management System Requirements

The standard requires the certification body to have a management system in place. To streamline adoption, ISO gives organizations two different approaches:

1. Using general management system requirements, which are explored in-depth in the document (drawing from the sections listed above) and
   
2. Compliance with ISO 9001 (the standard for Quality Management Systems).

Stay on Top of ISO 17021 with Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

• FedRAMP
• StateRAMP
• GDPR
• NIST 800-53
• FARS NIST 800-171
• CMMC
• SOC 1, SOC 2
• HIPAA
• PCI DSS 4.0
• IRS 1075
• COSO SOX
• ISO 27000 Series
• ISO 9000 Series
  
• ISO Assessment and Audit Standards

And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.